Donald Kwakkel created CMIS-939:
-----------------------------------
Summary: Cookie Security: Persistent Cookie is used
Key: CMIS-939
URL: https://issues.apache.org/jira/browse/CMIS-939
Project: Chemistry
Issue Type: Bug
Components: opencmis-client
Affects Versions: OpenCMIS 0.13.0
Reporter: Donald Kwakkel
Storing sensitive data in a persistent cookie can lead to a breach of
confidentiality or account compromise.
Explanation:
Most Web programming environments default to creating non-persistent cookies.
These cookies reside only in browser memory (they are not written to disk) and
are lost when the browser is closed. Programmers can specify that cookies be
persisted across browser sessions until some future date. Such cookies are
written to disk and survive across browser sessions and computer restarts.
If private information is stored in persistent cookies, attackers have a larger
time window in which to steal this data - especially since persistent cookies
are often set to expire in the distant future. Persistent cookies are often
used to profile users as they interact with a site. Depending on what is done
with this tracking data, it is possible to use persistent cookies to violate
users' privacy.
In this case setMaxAge() is called in AbstractBrowserServiceCall.java at line
216 with a non-zero parameter. This max age is also not configurable, and it
cannot be disabled.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)